My normally squeaky clean computer is nasty with continual blocks by Norton because while I was out of town my mother-in-law was using it for email and of course my wife saw just too late that she clicks on some "you've won $500 email" and the corresponding link. Can't believe some people don't realize that's all spam. Sigh....
Anyhow that was last week I believe (haven't been home much). Norton said to do Power Eraser but that came up negative and I even got a message saying Norton had an error (but thankfully it keeps blocking). I was about to try some more drastic things I read about on other forums but then found out about a superhero here called Quads that somehow knows the secret to fixing these things. If that is true, I'd LOVE your help.
My computer is running a 64-bit version of Windows 7. I do have a flashdrive.
If you end up with any time to help, I'd be most appreciative.
You probably have the zeroaccess!inf4 virus... Quads on here I doubt will help you because I have yet to see him actually do anything except that you confirm the problem because he won't help even if all you've used is Norton... Go up to support and click on virus....make the phone call and do the 100$ virus removal and allow them to remotely access your computer...it is completely safe and you see exactly what they are doing. I just did it and it was so much better and faster than trying to listen to the very judgeMENTAL quads. And it cleared allll issues in my computer including a root kit that I had noticed but couldn't remove myself
I've read a couple of threads that he's fixed. He's volunteer so has every right not to help if he doesn't want to. It would just be a bummer to spend $100 to a company that I've already paid money to in order to keep this from happening...sigh. It might come to that but I'll probably check with a local computer place first. Thanks for your input. Maybe mom-in-law will contribute towards the $100 LOL.
Yeah it was hard for me too, but I had not used anything except Norton to try and resolve the issue and he claimed I had used more which I hadn't so it showed me he doesn't know enough to help others... I have researched his topics for several days now on zeroaccess and he has not successfully solved a single one...just gets up to the log and tells them they did something wrong, which out of many many posts, I doubt every single person did it wrong....not worth the time
ANY other user other than the thread starter is not to use any instructions, scripts or procedures. The work though in cleaning a system is individual and only for that system due to a number of factors.
Unfortunately, with the amount of threads means the waiting time is longer. Norton continually blocking files won't hurt your system but it is just annoying. Please wait and be patient. I am trying to keep up, spending hours here to script and clean machines on a first come/first served basis. If you or someone adds to your thread it will be pushed back in line due to the new update. I use the boards in reverse to what is seen.
Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability. Do as the instructions ask, nothing extra, and don't run things twice.
If I ask a Question just answer it, don't run anything unless it states.
Major steps used:
1. Find
2. Break
3. Destroy
4. Cleanup (including system as a whole)
Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums (sometimes).
Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
Although zeroaccess is detected I have had to remove more than that on machines, like a Bootkit, BCD fix, partition removal, FakeAV and any other objects as a total clean up.
Transfer it on to the Flash Drive / portable Hard Drive.
Enter System Recovery Options.
To enter System Recovery Options from the Advanced Boot Options:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
Startup Repair, System Restore, Windows Complete PC Restore, Windows Memory Diagnostic Tool, Command Prompt
Select Command Prompt
In the command window type in notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive / portable Hard Drive letter and close the notepad.
In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter.
Note: Replace letter e with the drive letter of your flash drive.
The tool will start to run.
When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) on the flash drive. Restart the system and load Windows. Please attach the log in your reply.
Thanks for the detailed directions. I'm ok with some computer stuff but know nothing about this. Great work.
A couple things that might matter and might not, but thought I'd let you know:
* The error I mentioned before with Norton I found upon restart. Something called one click tried to load and then it said error 5013,3.
* On the recovery options part where I selected user account I wasn't entirely sure what to do. The user name I usually click on wasn't there. There was one called ASPNET that needed a password, one called homegroup or something like that, one called Mom and Dad (which is the other user name upon start up from when my parents needed to stay with us), and one called USER. I just chose USER and ran the report. Hopefully that was ok.
* On the report I noticed it had the tdsskiller listed as downloaded to my desktop. It is downloaded along with 2 norton apps as part of the drastic measures I was about to take until I saw your posts on this forum. So it hasn't been run (though I'm guessing you'd know that from the log - just wanted to make sure).
* Oh, and on restart Adobe Player I think it was wanted to update but I didn't let it because I didn't want to mess with anything. If I should, just let me know.
That said, you should definitely get foreign language credit for being able to read all that and make sense of it. The only part I really got was the one that said zeroaccess and ATTENTION! Grrr. Thanks for helping me get rid of that evil.
Download the script attached, needs to be the same file name as well (fixlist.txt), copy across to flash drive.
NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
Now please enter System Recovery Options again, like previously.
Select Command Prompt
In the command window type in notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\frst.exe or frst64.exe and press Enter.
Note: Replace letter e with the drive letter of your flash drive.
The tool will start to run.
When the tool opens click Yes to disclaimer.
Press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt). Please post it to your reply.
It's amazing how quick you are at doing stuff on these forums.
I won't even pretend to know what that did - here's just what I noticed different on restart:
This is the first time the trojan.zeroaccess didn't show up on Norton's blocker I think. The trojan.Gen.2 did but only once (Norton says it quarantined it) instead of the usual 4 times or so.
Ensure that Combofix is saved directly to the Desktop <--- Very important (Not in the Download(s) or Temp folders)
Disable all security programs as they will have a negative effect on Combofix, Disabled for say 1 hour or more.
Close any open browsers and any other programs you might have running
Right click the combofix.exe on the desktop and select from the menu "Run as Administrator"
If you are using Windows XP it might display a pop up saying that "Recovery console is not installed, do you want to install?" Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review
****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze****
Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.
*EXTRA NOTES*
If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot, this is normal.
If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (Those items will not be deleted).
Again, not sure what magic you're running, but it seems to have helped (though again, I know nothing of this).
Thankfully Combofix has a second warning for disabling Norton because I found it wasn't enough to disable the antivirus auto-protect and firewall by right clicking the icon in the bottom right. The warning caused me to open up the security center and see there were more buttons I could uncheck. Hopefully that was done correctly, it seemed to do its thing ok.
One thing you may want to mention in your already really detailed directions (I imagine you have these saved to copy and paste as you need to - and your last "extra note" saved me from having a heart attack :) ) is another note under the blue font that Combofix may take longer (by hours) than it says. I think the program says 10 minutes or double for bad infections but it was processing after step 4 for almost 2 hours. I was a little worried but thankfully had errands to do and it did continue on its merry way after awhile. Again, nothing wrong with your directions at all, it's Combofix's directions that are misleading.
I have Norton up and running again and it didn't pick up anything. I don't want to do anything (scan, reboot, etc) unless you tell me to though because you are definitely the master exorcist here. Oh, and Norton didn't automatically try to run that One Click program on reboot so I don't know if it still has any kind of error code.
One last thing that probably doesn't matter. If having multiple users is bad in any way, I can delete the Mom & Dad user. They aren't here anymore so it isn't needed. Won't touch unless you say so though.
I'll attach the log file. It didn't seem like it had all the info so I also had the program make a txt file of the results.
One strange thing to note: when it found the second one on the list (patched.gen.b trojan), Norton suddenly popped up as well saying there was a zeroaccess!inf4 that needed manual removal.
If you're able to figure this out, I'll definitely owe you lunch or something, sheesh.
"One strange thing to note: when it found the second one on the list (patched.gen.b trojan), Norton suddenly popped up as well saying there was a zeroaccess!inf4 that needed manual removal. "